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           Extended BGP Administrative Shutdown Communication

Abstract

   This document enhances the BGP Cease NOTIFICATION message
   "Administrative Shutdown" and "Administrative Reset" subcodes for
   operators to transmit a short free-form message to describe why a BGP
   session was shut down or reset.  This document updates RFC 4486 and
   obsoletes RFC 8203 by defining an Extended BGP Administrative
   Shutdown Communication of up to 255 octets to improve communication
   using multibyte character sets.
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1.  Introduction

   It can be troublesome for an operator to correlate a BGP-4 [RFC4271]
   session teardown in the network with a notice that was transmitted
   via offline methods, such as email or telephone calls.  This document
   updates [RFC4486] by specifying a mechanism to transmit a short free-
   form UTF-8 [RFC3629] message as part of a Cease NOTIFICATION message
   [RFC4271] to inform the peer why the BGP session is being shut down
   or reset.  This document obsoletes [RFC8203]; the specific
   differences and rationale are discussed in detail in Appendix A.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Shutdown Communication

   If a BGP speaker decides to terminate its session with a BGP
   neighbor, and it sends a NOTIFICATION message with the Error Code
   "Cease" and Error Subcode "Administrative Shutdown" or
   "Administrative Reset" [RFC4486], it MAY include a UTF-8-encoded
   string.  The contents of the string are at the operator's discretion.

   The Cease NOTIFICATION message with a Shutdown Communication is
   encoded as below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Error Code 6  |    Subcode    |    Length     |     ...       \
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               /
   \                                                               \
   /                 ... Shutdown Communication ...                /
   \                                                               \
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                  Figure 1

   Subcode:  The Error Subcode value MUST be one of the following
      values: 2 ("Administrative Shutdown") or 4 ("Administrative
      Reset").

   Length:  This 8-bit field represents the length of the Shutdown
      Communication field in octets.  When the length value is zero, no
      Shutdown Communication field follows.

   Shutdown Communication:  To support international characters, the
      Shutdown Communication field MUST be encoded using UTF-8.  A
      receiving BGP speaker MUST NOT interpret invalid UTF-8 sequences.
      Note that when the Shutdown Communication contains multibyte
      characters, the number of characters will be less than the length
      value.  This field is not NUL terminated.  UTF-8 "Shortest Form"
      encoding is REQUIRED to guard against the technical issues
      outlined in [UTR36].

   Mechanisms concerning the reporting of information contained in the
   Shutdown Communication are implementation specific but SHOULD include
   methods such as syslog [RFC5424].

3.  Operational Considerations

   Operators are encouraged to use the Shutdown Communication to inform
   their peers of the reason for the shutdown of the BGP session and
   include out-of-band reference materials.  An example of a useful
   Shutdown Communication would be:

   "[TICKET-1-1438367390] software upgrade; back in 2 hours"

   "[TICKET-1-1438367390]" is a ticket reference with significance to
   both the sender and receiver, followed by a brief human-readable
   message regarding the reason for the BGP session shutdown followed by
   an indication about the length of the maintenance.  The receiver can
   now use the string 'TICKET-1-1438367390' to search in their email
   archive to find more details.

   If a Shutdown Communication longer than 128 octets is sent to a BGP
   speaker that implements [RFC8203], then that speaker will treat it as
   an error, the consequence of which should be a log message.

   If a Shutdown Communication of any length is sent to a BGP speaker
   that implements neither [RFC8203] nor this specification, then that
   speaker will treat it as an error, the consequence of which should be
   a log message.

   In any case, a receiver of a NOTIFICATION message is unable to
   acknowledge the receipt and correct understanding of any Shutdown
   Communication.

   Operators should not rely on Shutdown Communications as their sole
   form of communication with their peers for important events.

   If it is known that the peer BGP speaker supports this specification,
   then a Shutdown Communication that is not longer than 255 octets MAY
   be sent.  Otherwise, a Shutdown Communication MAY be sent, but it
   SHOULD NOT be longer than 128 octets.

4.  Error Handling

   If a Shutdown Communication with an invalid UTF-8 sequence is
   received, a message indicating this event SHOULD be logged for the
   attention of the operator.  An erroneous or malformed Shutdown
   Communication itself MAY be logged in a hexdump format.

5.  IANA Considerations

   IANA has referenced this document at subcodes "Administrative
   Shutdown" and "Administrative Reset" in the "BGP Cease NOTIFICATION
   message subcodes" registry under the "Border Gateway Protocol (BGP)
   Parameters" group in addition to [RFC4486].

6.  Security Considerations

   This document uses UTF-8 encoding for the Shutdown Communication.
   There are a number of security issues with Unicode.  Implementers and
   operators are advised to review Unicode Technical Report #36 [UTR36]
   to learn about these issues.  UTF-8 "Shortest Form" encoding is
   REQUIRED to guard against the technical issues outlined in [UTR36].

   As BGP Shutdown Communications are likely to appear in syslog output,
   there is a risk that carefully constructed Shutdown Communication
   might be formatted by receiving systems in a way to make them appear
   as additional syslog messages.  The 255-octet length limit on the BGP
   Shutdown Communication may help limit the ability to mount such an
   attack.

   Users of this mechanism should be aware that unless a transport that
   provides integrity is used for the BGP session in question, a
   Shutdown Communication message could be forged.  Unless a transport
   that provides confidentiality is used, a Shutdown Communication
   message could be snooped by an attacker.  These issues are common to
   any BGP message, but they may be of greater interest in the context
   of this proposal since the information carried in the message is
   generally expected to be used for human-to-human communication.
   Refer to the related considerations in [RFC4271] and [RFC4272].

   Users of this mechanism should consider applying data minimization
   practices as outlined in Section 6.1 of [RFC6973] because a received
   Shutdown Communication may be used at the receiver's discretion.
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Appendix A.  Changes to RFC 8203

   The maximum permitted length was changed from 128 to 255.

   Feedback from operators based in regions that predominantly use
   multibyte character sets showed that messages similar in meaning to
   what can be sent in other languages using single-byte encoding failed
   to fit within the length constraints as specified by [RFC8203].  For
   example, the phrase "Planned work to add switch to stack.  Completion
   time - 30 minutes" has a length of 65 bytes.  Its translation in
   Russian has a length of 139 bytes.

   If a Shutdown Communication message longer than 128 octets is sent to
   a BGP speaker that implements [RFC8203], then that speaker will bring
   it to the attention of an operator but will otherwise process the
   NOTIFICATION message as normal.
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